[Openid-specs-ab] end_session endpoint parameter specs

Torsten Lodderstedt torsten at lodderstedt.net
Sat Jan 18 08:43:59 UTC 2014


Hi Todd,

I think your proposal to make the id token hint required if the post logout uri is present limits applicability of the logout mechanism. We see the need to trigger a logout from pages, which did not previously process a login (portal, landing page). This would be impossible.

General note: I think the security consideration section must discuss open redirection at the end session endpoint. I assume registration of post logout uri serves the purpose of preventing this threat but this is not documented.

regards,
Torsten.

> Am 17.01.2014 um 22:45 schrieb Todd W Lainhart <lainhart at us.ibm.com>:
> 
> Last week I filed: 
> 
> https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter 
> 
> ...where I stated that a required client_id parm was missing that allowed for the verification of the post_logout_uri value.  I've implemented this endpoint, and I think that I see that this parm may not be necessary. 
> 
> Section 5 of the session mgmt. spec says this: 
> 
> //=========== 
> This specification also defines the following parameters that are passed as query parameters in the logout request:
> id_token_hint 
> RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value. 
> post_logout_redirect_uri 
> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout. 
> 
> 
> //=========== 
> 
> I would reword these definitions to say something along the following lines: 
> 
> post_logout_redirect_uri  OPTIONAL.  The URL to which the RP is requesting that the End-User's User Agent be redirected to after the logout has been performed.  The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism.  If supplied, id_token_hint MUST be specified. 
> 
> id_token_hint REQUIRED if "post_logout_redirect_uri" is specified, otherwise RECOMMENDED.  The previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. If "post_logout_redirect_uri" is specified, then the "aud" member of this token MUST be a single element, and MUST be the client_id to which the specified "post_logout_redirect_uri" is registered. 
> 
> Additionally, a decision should be made as to whether a state parameter should be included that can be round-tripped via the post_logout_redirect_uri.  Either that, or the value of the id_token_hint parm is returned via the post_logout_redirect_uri redirect. 
> 
> The implication of this is that the end_session_endpoint can be called with no parameters, an id_token_hint, or both id_token_hint and post_logout_redirect_uri.
> 
> 
> 
> 
> 
> 
> 
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart at us.ibm.com
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140118/596c4c8b/attachment.html>


More information about the Openid-specs-ab mailing list